PPRuNe Forums - View Single Post - Airbus A320 crashed in Southern France
Old 1st Apr 2015, 04:48
  #2809 (permalink)  
papershuffler
 
Recovery procedures & processing of electronic evidence

Source(s): years of personal experience as a search officer, exhibits officer, and search commander, working with UK police and other agencies. However, I have only a passing knowledge of French procedures. (I would hope that they have a similar, robust-enough system.)

Recovery/seizure of evidence

When an item is seized/recovered, it is placed in a bag which is sealed with a plastic tag ('bagged and tagged'). IME, electronic devices and possibly-sensitive items were placed in differently coloured bags instead of clear, so it was easier to identify and separate them.

(Notes - Use of PNB (notebook) depends on the search briefing, and the individual proclivity of the officer:
- recording of every item found. Every page should be initialled. If they are discovering large amounts of items, this is not always possible.
- recording of only unusual items found, or items important to the investigation.
We tended towards the latter as the exhibits officer would produce a master list of all the items found, however some officers still recorded everything.)

A label is then completed with a detailed description of the item and location found, signed and dated by the officer who found it.

The item(s) would be taken to the person(s) logging items found and assigned a unique number. Once an item gets this far into the process, it is very, very difficult to remove it without a trace. It is a Very Big Deal if anything is lost, and there would be a trace of it (i.e. description of a mobile would include IMEI). All items would be gathered together, counted, checked and double-checked.

If the item is deemed as potentially important, a senior officer's attention would be brought to it and it would be marked as a priority to process. I would think any recognisable electronic devices would come in this category.

The number one rule for electronic devices is that you do not attempt to operate the device under any circumstances. Forget what you see on TV with the police picking up phones and pressing buttons, or answering calls. Evidence gained in that manner would be unusable in a court of law in England or Wales (Interception of Communications/RIPA/PACE). The fact that a person has operated the device can also damage the integrity of any evidence discovered, and it is likely to leave a trace.
The ONLY exception to that rule that I experienced is for devices that will lock if you leave them for more than a few seconds/minutes, which are renowned for being difficult to unlock. (I know of someone who had to babysit one particular PDA device to keep it from locking while the digital forensics team on site ran around looking for the correct cable to begin a download.) This does not apply for this case, as all devices would already be either off or on stand-by/locked automatically.

I can't recall whether the latest procedure is to turn seized phones immediately off, or whether to leave them on - however I've seen them being placed inside metal containers to ensure no further interaction with a mobile network is made.


Processing of electronic evidence

IME, mobiles were often the first things that were processed, especially in the days before universal chargers. (If the matching cable was not seized, the download had to be made before the battery expired.) The item(s) would be signed out by the digital forensic analyst, and data recovery would be attempted in a room or container impervious to mobile network signals. It may be processed further by the forensic analyst, or by a member of the investigative team, or another specialist. The resulting effort would be saved on a shared drive which the entire investigative team may have access to (it depends what permissions have been agreed upon).


Onto the latest reports. Apologies for the source - it was either CNN or the DM. I have quoted the article to directly analyse what has been said, and highlighted the paragraphs relevant to this matter (although I understand the perils of translation may have slightly changed the context).

Video of flight's final seconds?
Reports say a cell phone video shows the nightmarish final seconds of Germanwings Flight 9525, but a police spokesman said the accounts were "completely wrong."

French magazine Paris Match and German newspaper Bild reported that a video recovered from a phone at the wreckage site showed the inside of the plane moments before it crashed.

"One can hear cries of 'My God' in several languages," Paris Match reported. "Metallic banging can also be heard more than three times, perhaps of the pilot trying to open the cockpit door with a heavy object. Towards the end, after a heavy shake, stronger than the others, the screaming intensifies. Then nothing."

The two publications described the video, but did not post it on their websites. The publications reported that they watched the video, which was found by a source close to the investigation. (1)

"It is a very disturbing scene," said Julian Reichelt, editor-in-chief of Bild online.

An official with France's accident investigation agency, the BEA, said the agency is not aware of any such video.

Lt. Col. Jean-Marc Menichini, a French Gendarmerie spokesman in charge of communications on rescue efforts around the Germanwings crash site, told CNN that the reports were "completely wrong" and "unwarranted." Cell phones have been collected at the site, he said, but that they "hadn't been exploited yet." (2)

Menichini said he believed the cell phones would need to be sent to the Criminal Research Institute in Rosny sous-Bois, near Paris, in order to be analyzed by specialized technicians working hand-in-hand with investigators. But none of the cell phones found so far have been sent to the institute, Menichini said.

Asked whether staff involved in the search could have leaked a memory card to the media, Menichini answered with a categorical "no." (3)

Reichelt told "Erin Burnett: Outfront" that he had watched the video and stood by the report, saying Bild and Paris Match are "very confident" that the clip is real.

He noted that investigators only revealed they'd recovered cell phones from the crash site after Bild and Paris Match published their reports.

"That is something we did not know before. ... Overall we can say many things of the investigation weren't revealed by the investigation at the beginning," he said.
Germanwings co-pilot Andreas Lubitz reported depression - CNN.com

The publications reported that they watched the video, which was found by a source close to the investigation. (1)

Does this incriminate an investigator, or a more senior official on site?

...reports were "completely wrong" and "unwarranted." Cell phones have been collected at the site, he said, but that they "hadn't been exploited yet." (2)

This tallies with the procedures I have experienced.

Asked whether staff involved in the search could have leaked a memory card to the media, Menichini answered with a categorical "no." (3)

IF he is incorrect, someone has short-cutted the entire established recovery procedure by stealing either data (operating an electronic device), or stealing the device itself.

IF the videos are not faked, how many have been found? If they are numerous, what is the chance of one or more being 'stolen', and what is the chance of the stolen device containing usable, relevant footage or other data? Slim? And what happens to physical items that are stolen that aren't deemed to be money makers or relevant? Does the thief just throw them away, or attempt to return them to the site?

In summary, some possible options (not exhaustive):
1. the footage has been faked, or does not exist.
2. an investigator on the ground has found a device, but either taken a copy or neglected to bag and tag it into the evidence chain, and sequestered it away to leak to press.
3. whoever is logging items recovered has sequestered the item or a copy of evidence away.
4. the item has been declared 'sensitive', removed from records but has been leaked at the processing stage.
5. the item has been processed, and the thief has stolen a copy of the information it contains. (Not according to Menichini.)

How to discover the truth? Interrogation of the search officers, exhibits officer and any database should show traces. These are minor figures though; senior officers are the only ones with the power to access much information, and cover their tracks.


IMO, if these videos turn out to be genuine, it irreparably damages the credibility of the entire investigation. Personally, the whole issue makes me feel physically sick, to think there is someone actively damaging such an important investigation, possibly for personal gain. (I've worked shoulder-to-shoulder with people on a 'porous' investigation - it was very detrimental to the case and to the health of the team members to be under suspicion.)

If the integrity of the chain of evidence is damaged, then how are we to trust the rest of the investigative process, including whatever data may be discovered on the FDR?